<html>
<head><meta charset="utf-8"><title>build-time sandboxing · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html">build-time sandboxing</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="156703912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/156703912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#156703912">(Jan 23 2019 at 16:45)</a>:</h4>
<p>This keeps coming up: <a href="https://github.com/rust-secure-code/wg/issues/29" target="_blank" title="https://github.com/rust-secure-code/wg/issues/29">https://github.com/rust-secure-code/wg/issues/29</a></p>



<a name="157484933"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157484933" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157484933">(Feb 03 2019 at 21:45)</a>:</h4>
<p>Since this is a second line of defence and you're pwned regardless of whether we have it or not, I'm not sure I'm on board with this being a 2019 goal. There is already so much on our plates, and I'd expect better authenticating downloaded packages in the first place to take priority.</p>



<a name="157486256"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157486256" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157486256">(Feb 03 2019 at 22:27)</a>:</h4>
<blockquote>
<p>you're pwned regardless of whether we have it or not</p>
</blockquote>
<p>Are you referring to having the resulting build contaminated whether there is a sandbox or not?</p>



<a name="157486470"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157486470" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157486470">(Feb 03 2019 at 22:32)</a>:</h4>
<p>Yes.</p>



<a name="157543454"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543454" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543454">(Feb 04 2019 at 18:20)</a>:</h4>
<p>I was encouraged by seeing crater disable network access</p>



<a name="157543468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543468">(Feb 04 2019 at 18:20)</a>:</h4>
<p>that leads me to believe that crates aren't presently doing things like hitting the network during builds</p>



<a name="157543505"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543505" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543505">(Feb 04 2019 at 18:21)</a>:</h4>
<p>for a "do no harm" sandbox, the longer you wait, the harder it will be to retrofit restrictions</p>



<a name="157543575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543575">(Feb 04 2019 at 18:22)</a>:</h4>
<p>and yes... it seems people have pretty polarized opinions on this</p>



<a name="157543780"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543780" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543780">(Feb 04 2019 at 18:24)</a>:</h4>
<p>on the one hand, there's the "RCE? game over man, game over" argument <a href="https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658/21" target="_blank" title="https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658/21">https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658/21</a></p>



<a name="157543868"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543868" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543868">(Feb 04 2019 at 18:25)</a>:</h4>
<p>Attacking at build-time allows for a fly-by-night attack that leaves no forensic evidence and potentially permits lateral movement</p>



<a name="157543885"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543885" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543885">(Feb 04 2019 at 18:25)</a>:</h4>
<p>as such, it's also the superset of the alternative, which is to trojan the target artifact</p>



<a name="157543957"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157543957" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157543957">(Feb 04 2019 at 18:26)</a>:</h4>
<p>to me, one of these things is clearly worse than the other</p>



<a name="157544119"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544119" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544119">(Feb 04 2019 at 18:29)</a>:</h4>
<p>speaking as someone who used to work on a DFIR team for several years... a non-build-script attack leaves forensic evidence not just in the target binary, but in the original source code</p>



<a name="157544135"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544135" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544135">(Feb 04 2019 at 18:29)</a>:</h4>
<p>that makes finding the payload a matter of examining the source of the original crate</p>



<a name="157544142"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544142" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544142">(Feb 04 2019 at 18:29)</a>:</h4>
<p>you don't get that guarantee with build scripts</p>



<a name="157544214"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544214" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544214">(Feb 04 2019 at 18:30)</a>:</h4>
<p>they could grab a malicious payload off the Internet, and do it in such a way that thwarts attempts by researchers to discover it</p>



<a name="157544240"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544240" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544240">(Feb 04 2019 at 18:30)</a>:</h4>
<p>build-time attacks are much, much more worrisome to me</p>



<a name="157544266"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544266" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544266">(Feb 04 2019 at 18:31)</a>:</h4>
<blockquote>
<p>that leads me to believe that crates aren't presently doing things like hitting the network during builds</p>
</blockquote>
<p>I've seen crates that download code using git to build a C dependency.</p>



<a name="157544364"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544364" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544364">(Feb 04 2019 at 18:32)</a>:</h4>
<p>huh... do those pass crater?</p>



<a name="157544423"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544423" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544423">(Feb 04 2019 at 18:32)</a>:</h4>
<p>I'm going to guess no</p>



<a name="157544432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544432">(Feb 04 2019 at 18:32)</a>:</h4>
<p>No idea. The only example I know of is in crosvm's new vTPM code.</p>



<a name="157544446"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544446" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544446">(Feb 04 2019 at 18:32)</a>:</h4>
<p>happen to know a crate name?</p>



<a name="157544468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544468">(Feb 04 2019 at 18:33)</a>:</h4>
<p>dtolnay might. I got the impression he got the idea from another crate.</p>



<a name="157544521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544521">(Feb 04 2019 at 18:33)</a>:</h4>
<p>to me the "proper" way to do that is a git submodule in the original repo, and then that can just package the source at the commit the submodule is pinned to into the resulting crate...</p>



<a name="157544522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544522">(Feb 04 2019 at 18:33)</a>:</h4>
<p>The idea is that the source is downloaded and built only when the platform hasn't already installed a static lib.</p>



<a name="157544527"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544527" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544527">(Feb 04 2019 at 18:33)</a>:</h4>
<p>aah</p>



<a name="157544606"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544606" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544606">(Feb 04 2019 at 18:34)</a>:</h4>
<p>Agreed that crates should have a more graceful way of using third-party code than downloading in <code>build.rs</code>.</p>



<a name="157544695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544695">(Feb 04 2019 at 18:35)</a>:</h4>
<p>if you happen to know the name of such a crate, I'd be interested in investigating how crater handles those crates</p>



<a name="157544760"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544760" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544760">(Feb 04 2019 at 18:36)</a>:</h4>
<p>the fact crater is shutting off things like network access to operate kind of speaks to the need for the general feature, IMO...</p>



<a name="157544782"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157544782" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157544782">(Feb 04 2019 at 18:36)</a>:</h4>
<p>but maybe I'm just a fan of POLA <span aria-label="stuck out tongue wink" class="emoji emoji-1f61c" role="img" title="stuck out tongue wink">:stuck_out_tongue_wink:</span></p>



<a name="157545150"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545150" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545150">(Feb 04 2019 at 18:40)</a>:</h4>
<p>Found one: <a href="https://github.com/tversteeg/castle-game/blob/master/build.rs" target="_blank" title="https://github.com/tversteeg/castle-game/blob/master/build.rs">https://github.com/tversteeg/castle-game/blob/master/build.rs</a></p>



<a name="157545164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545164">(Feb 04 2019 at 18:40)</a>:</h4>
<p><a href="https://crates.io/crates/castle-game" target="_blank" title="https://crates.io/crates/castle-game">https://crates.io/crates/castle-game</a></p>



<a name="157545219"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545219" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545219">(Feb 04 2019 at 18:41)</a>:</h4>
<p>I just looked through a few pages of crates that depend on git2 and this was the first one I found that used it in <code>build.rs</code> for downloading.</p>



<a name="157545409"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545409" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545409">(Feb 04 2019 at 18:43)</a>:</h4>
<p>it's listed as "skipped" in crater</p>



<a name="157545650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545650">(Feb 04 2019 at 18:46)</a>:</h4>
<p>Where can I get this crater information?</p>



<a name="157545677"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545677" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545677">(Feb 04 2019 at 18:47)</a>:</h4>
<p>it doesn't exactly have the world's most usable/browsable UI, heh</p>



<a name="157545689"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545689" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545689">(Feb 04 2019 at 18:47)</a>:</h4>
<p><a href="https://crater-reports.s3.amazonaws.com/beta-1.33-1/index.html" target="_blank" title="https://crater-reports.s3.amazonaws.com/beta-1.33-1/index.html">https://crater-reports.s3.amazonaws.com/beta-1.33-1/index.html</a></p>



<a name="157545716"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157545716" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157545716">(Feb 04 2019 at 18:47)</a>:</h4>
<p><a href="https://crater.rust-lang.org/ex/beta-1.33-1" target="_blank" title="https://crater.rust-lang.org/ex/beta-1.33-1">https://crater.rust-lang.org/ex/beta-1.33-1</a></p>



<a name="157706315"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157706315" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157706315">(Feb 06 2019 at 17:07)</a>:</h4>
<p>hmmm some discussion of external dependency handling here <a href="https://internals.rust-lang.org/t/external-dependencies-in-declarative-format/9372" target="_blank" title="https://internals.rust-lang.org/t/external-dependencies-in-declarative-format/9372">https://internals.rust-lang.org/t/external-dependencies-in-declarative-format/9372</a></p>



<a name="157736070"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157736070" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157736070">(Feb 06 2019 at 23:14)</a>:</h4>
<p>I'm not wading into this thread, but if everyone is on the same page that we should sandbox, I'm happy to review/write whatever's needed by way of a sandboxing library.</p>



<a name="157736337"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157736337" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157736337">(Feb 06 2019 at 23:18)</a>:</h4>
<p>I think it'd at least be interesting to build a prototype with something like gaol</p>



<a name="157736352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157736352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157736352">(Feb 06 2019 at 23:18)</a>:</h4>
<p>having something tangible to talk about at least breaks the endless pontificating cycle</p>



<a name="157786646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157786646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Cem Karan <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157786646">(Feb 07 2019 at 15:50)</a>:</h4>
<p>Is depending on containers (at least for right now) out of the question?</p>



<a name="157786718"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157786718" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Cem Karan <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157786718">(Feb 07 2019 at 15:51)</a>:</h4>
<p>I know that could make for a heavy-weight dependency, and it could be a headache for supporting multiple platforms, but until gaol is considered to be production ready, containers may be a good option.</p>



<a name="157801411"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/157801411" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#157801411">(Feb 07 2019 at 18:43)</a>:</h4>
<p>Containers are chroot+cgroups with a bunch of tooling on top. They do not really introduce much in the way of dependencies - they just need a kernel with those facilities, such as Linux, FreeBSD or Solaris/Illumos. This means that macOS and Windows would be missing out.</p>



<a name="158010114"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158010114" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158010114">(Feb 11 2019 at 06:38)</a>:</h4>
<p>see also namespaces+seccomp, which are IMO the more interesting tools for security. as it were, gaol provides a cross-platform abstraction to those and, well... not entirely dissimilar facilities on other operating systems (not entirely similar either, but "best sandbox for the current OS" is probably a reasonable goal)</p>



<a name="158056787"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158056787" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158056787">(Feb 11 2019 at 19:23)</a>:</h4>
<p>spitballing here, for tackling the cross-platform issue: what if the build script were compiled to wasm and run with an OS-agnostic ABI?</p>



<a name="158130646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158130646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158130646">(Feb 12 2019 at 16:28)</a>:</h4>
<p>I saw there was a WASM + CloudABI project as it were... but that seems like a substantially larger change than just sandboxing the build script</p>



<a name="158130676"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158130676" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158130676">(Feb 12 2019 at 16:29)</a>:</h4>
<p>what's nice about using something like gaol is crate consumers could opt into giving the build script all of the access ones today have</p>



<a name="158130691"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158130691" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158130691">(Feb 12 2019 at 16:29)</a>:</h4>
<p>aah yeah this: <a href="https://github.com/CraneStation/wasmtime" target="_blank" title="https://github.com/CraneStation/wasmtime">https://github.com/CraneStation/wasmtime</a></p>



<a name="158130695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158130695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158130695">(Feb 12 2019 at 16:29)</a>:</h4>
<p>fun name <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="158760909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158760909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158760909">(Feb 17 2019 at 22:03)</a>:</h4>
<p>apparently Amazon wrote a tool of this ilk for Firecracker: <a href="https://github.com/firecracker-microvm/firecracker/blob/master/docs/jailer.md" target="_blank" title="https://github.com/firecracker-microvm/firecracker/blob/master/docs/jailer.md">https://github.com/firecracker-microvm/firecracker/blob/master/docs/jailer.md</a></p>



<a name="158761041"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/158761041" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#158761041">(Feb 17 2019 at 22:07)</a>:</h4>
<p>Seems similar to minijail which we use in crosvm and in Chrome OS</p>



<a name="161480654"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161480654" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161480654">(Mar 22 2019 at 20:24)</a>:</h4>
<p>hi there, considering that most people are importing dependencies without reading their code and that these can contain build scripts or procedural macros that can compromise one's computer, I was thinking we should maybe provide a sandboxed offline compilation process by default in Cargo (SELinux, Hyper-V APIs, jail). What is your opinion on such a thing?</p>
<p>I'm also thinking about RLS that automatically compiles dependencies, which means it's automatically running untrusted code unsandboxed.</p>



<a name="161481285"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161481285" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161481285">(Mar 22 2019 at 20:33)</a>:</h4>
<p>There is already a topic for this that you might want to read through and repost your question: "build-time sandboxing"</p>



<a name="161481459"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161481459" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161481459">(Mar 22 2019 at 20:35)</a>:</h4>
<p>Yes sorry, I have realized, happy to see it's already being discussed.</p>



<a name="161481696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161481696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161481696">(Mar 22 2019 at 20:38)</a>:</h4>
<p>So I wanted to insist on the fact that this has to be default in everyone's development environment, else the risk won't be mitigated</p>



<a name="161481818"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161481818" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161481818">(Mar 22 2019 at 20:40)</a>:</h4>
<p>There's also a problem that I see, it's that we couldn't flag crates that perform network access in build scripts or macros on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> because these can always set up a buffer with shellcode and run networked malware there.</p>



<a name="161482014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161482014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161482014">(Mar 22 2019 at 20:42)</a>:</h4>
<p>I don't think that any build script or procedural macro code should ever be allowed to access the network.</p>



<a name="161489712"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161489712" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161489712">(Mar 22 2019 at 22:31)</a>:</h4>
<p>I mean, I'm sure someone will come up with reasons why they need their build script to do so. Off-hand, I'm thinking of cases where you want to ask the build script to automatically update to the upstream version. But by default, no, no build-time code should be able to access the network or arbitrary places on the FS or even arbitrary syscalls. Whatever solution is engineered will need an escape hatch.</p>



<a name="161490214"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490214" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490214">(Mar 22 2019 at 22:38)</a>:</h4>
<p>Is downloading a C library if it's not installed locally still a thing? I imagine it would be pretty big on Windows</p>



<a name="161490280"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490280" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490280">(Mar 22 2019 at 22:39)</a>:</h4>
<p>It was a thing?!</p>



<a name="161490297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490297">(Mar 22 2019 at 22:39)</a>:</h4>
<p>Yeah, it's pretty convenient for ssl and zlib wrappers that are in the ecosystem.</p>



<a name="161490300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490300">(Mar 22 2019 at 22:39)</a>:</h4>
<p>Oh, you mean for -sys crates.</p>



<a name="161490356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490356">(Mar 22 2019 at 22:40)</a>:</h4>
<p>Probably. Submodules would be better, but people don't use/understand them.</p>



<a name="161490542"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490542" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490542">(Mar 22 2019 at 22:43)</a>:</h4>
<p>What kind of submodules? I hope you don't mean git submodules?</p>



<a name="161490617"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161490617" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161490617">(Mar 22 2019 at 22:44)</a>:</h4>
<p>But yeah, this is a thing, and this practice is especially horrifying for something like OpenSSL that gets a new batch of vulnerabilities every 3 months or so, because you get this thing statically linked with no record of which version compiled or even downloaded. And the worst part is that while on Linux you have an easy way to install these libs, on Windows you don't - or at least, it didn't have anything like that back when I last saw it 10 years ago.</p>



<a name="161491205"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491205" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491205">(Mar 22 2019 at 22:53)</a>:</h4>
<p>Yes, git submodules? Why not?</p>



<a name="161491253"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491253" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491253">(Mar 22 2019 at 22:53)</a>:</h4>
<p>Opinion/rant: git submodules solves its problem domain in such a confusing way that it poisons any future attempts to improve on its problem domain. Kind of like PGP.</p>



<a name="161491378"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491378" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491378">(Mar 22 2019 at 22:55)</a>:</h4>
<p>No submodules would be way better than what git ended up with.</p>



<a name="161491440"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491440" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491440">(Mar 22 2019 at 22:56)</a>:</h4>
<p>Although compared to the rest of user-facing parts of git it doesn't even stand out all that much</p>



<a name="161491521"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491521" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491521">(Mar 22 2019 at 22:58)</a>:</h4>
<p>Frankly I do not see how git submodules are relevant to crates published on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a></p>



<a name="161491610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491610">(Mar 22 2019 at 22:59)</a>:</h4>
<p>I guess the equivalent idea is one could upload sidecar zips to <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> that could be optionally downloaded if the build script wanted it.</p>



<a name="161491723"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491723" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491723">(Mar 22 2019 at 23:00)</a>:</h4>
<p>You can't have real networking, but you can have safety-scissors that are impossible to cut yourself with.</p>



<a name="161491749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491749">(Mar 22 2019 at 23:00)</a>:</h4>
<p>This... actually sounds like a pretty great idea.</p>



<a name="161491772"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491772" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491772">(Mar 22 2019 at 23:01)</a>:</h4>
<p>Quick, jot it down in <a href="https://github.com/rust-secure-code/wg/issues/29" target="_blank" title="https://github.com/rust-secure-code/wg/issues/29">https://github.com/rust-secure-code/wg/issues/29</a></p>



<a name="161491778"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491778" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491778">(Mar 22 2019 at 23:01)</a>:</h4>
<p>ok</p>



<a name="161491786"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491786" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491786">(Mar 22 2019 at 23:01)</a>:</h4>
<p>Well, I like submodules as implemented in the plumbing (the porcelain for them is terrible). Most importantly, they propagate the core git guarantee -- if you download a specific sha1 you get exactly the same tree.</p>



<a name="161491864"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161491864" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161491864">(Mar 22 2019 at 23:02)</a>:</h4>
<p>I don't think cargo downloads crates with git though. I thought it downloaded zips.</p>



<a name="161492052"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492052" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492052">(Mar 22 2019 at 23:04)</a>:</h4>
<p>Ah, that I did not know. Why not have people package up their C dependencies then?</p>



<a name="161492117"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492117" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492117">(Mar 22 2019 at 23:05)</a>:</h4>
<p>I mean, first question is how hard is that to do? If it's hard to do, we should fix that first.</p>



<a name="161492131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492131">(Mar 22 2019 at 23:05)</a>:</h4>
<p>(I have never published a crate...)</p>



<a name="161492197"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492197" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492197">(Mar 22 2019 at 23:06)</a>:</h4>
<p>Depending on the source being packaged, it may be very large.</p>



<a name="161492209"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492209" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492209">(Mar 22 2019 at 23:06)</a>:</h4>
<p>It's also not always necessary if pkg-config can just give them a lib from the system.</p>



<a name="161492221"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492221" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492221">(Mar 22 2019 at 23:06)</a>:</h4>
<p>Hence sidecar zips?</p>



<a name="161492234"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492234" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492234">(Mar 22 2019 at 23:06)</a>:</h4>
<p>Alternatively one could specify URL+hash pairs somewhere.</p>



<a name="161492236"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492236" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492236">(Mar 22 2019 at 23:06)</a>:</h4>
<p>I guess. Honestly I'm not certain it's a good solution. I was only spit-balling ideas.</p>



<a name="161492259"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492259" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492259">(Mar 22 2019 at 23:07)</a>:</h4>
<p>It's not a terrible idea. But I'm reading the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> docs and they have a strict 10MB limit on .crate files.</p>



<a name="161492260"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492260" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492260">(Mar 22 2019 at 23:07)</a>:</h4>
<p>URL+hash seems reasonable, assuming the URLs are pinned down to trusted domains</p>



<a name="161492269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492269">(Mar 22 2019 at 23:07)</a>:</h4>
<p>trusted domains?</p>



<a name="161492281"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492281" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492281">(Mar 22 2019 at 23:07)</a>:</h4>
<p>Are you concerned about leaking information about who's downloading?</p>



<a name="161492328"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492328" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492328">(Mar 22 2019 at 23:08)</a>:</h4>
<p>Yeah. If cargo contacted a domain controlled by an attacker, that would probably violate what people imagine a "sandbox" is good for.</p>



<a name="161492386"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492386" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492386">(Mar 22 2019 at 23:08)</a>:</h4>
<p>I also want to reserve the option of caching/rewriting/mirroring domains for the purposes of hermetic build systems, like the kind in Chrome OS.</p>



<a name="161492410"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492410" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492410">(Mar 22 2019 at 23:09)</a>:</h4>
<p>Although I suppose the "hash" part solves the issue well enough.</p>



<a name="161492412"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492412" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492412">(Mar 22 2019 at 23:09)</a>:</h4>
<p>You get that from the hash, though. Your build system can look up that hash wherever it wants</p>



<a name="161492416"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492416" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492416">(Mar 22 2019 at 23:09)</a>:</h4>
<p>The URL is just a hint</p>



<a name="161492471"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492471" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492471">(Mar 22 2019 at 23:10)</a>:</h4>
<p>But most people won't have a pre-mirrored system but would still like a sandbox.</p>



<a name="161492500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492500">(Mar 22 2019 at 23:10)</a>:</h4>
<p>Most people won't care about the leak.</p>



<a name="161492520"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492520" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492520">(Mar 22 2019 at 23:11)</a>:</h4>
<p>Most people don't care about build time sandboxing either.</p>



<a name="161492523"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492523" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492523">(Mar 22 2019 at 23:11)</a>:</h4>
<p>They want a sandbox to protect their systems, not their privacy.</p>



<a name="161492529"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492529" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492529">(Mar 22 2019 at 23:11)</a>:</h4>
<p>Who are we building this sandbox for?</p>



<a name="161492537"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492537" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492537">(Mar 22 2019 at 23:11)</a>:</h4>
<p>Fair question.</p>



<a name="161492557"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492557" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492557">(Mar 22 2019 at 23:11)</a>:</h4>
<p>Time for a product requirements document!</p>



<a name="161492622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492622">(Mar 22 2019 at 23:12)</a>:</h4>
<p>Also, malware that is being distributed through <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> can be purged. Malware that is distributed from an attacker-controlled server that cargo is directed to download from is harder to purge.</p>



<a name="161492645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492645">(Mar 22 2019 at 23:13)</a>:</h4>
<p>So I would argue it's not only privacy being preserved.</p>



<a name="161492660"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492660" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492660">(Mar 22 2019 at 23:13)</a>:</h4>
<p>you also get an audit trail that way, since <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> is supposedly immutable</p>



<a name="161492666"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492666" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492666">(Mar 22 2019 at 23:13)</a>:</h4>
<p>Audit trail of... the malware?</p>



<a name="161492683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492683">(Mar 22 2019 at 23:14)</a>:</h4>
<p>The people who downloaded it?</p>



<a name="161492713"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492713" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492713">(Mar 22 2019 at 23:14)</a>:</h4>
<p>Sorry, getting distracted.</p>



<a name="161492716"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492716" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492716">(Mar 22 2019 at 23:14)</a>:</h4>
<p>Who is the sandbox for?</p>



<a name="161492734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492734">(Mar 22 2019 at 23:15)</a>:</h4>
<p>The first tranche is obviously the majority -- don't care until they get malware on their box or in their product.</p>



<a name="161492752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492752">(Mar 22 2019 at 23:15)</a>:</h4>
<p>I would think it is for everybody to run by default unless they have a very good reason not to.</p>



<a name="161492758"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492758" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492758">(Mar 22 2019 at 23:15)</a>:</h4>
<p>We can't do anything about the product side, obviously.</p>



<a name="161492763"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492763" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492763">(Mar 22 2019 at 23:15)</a>:</h4>
<p>Good reasons might be legacy crates or the crate is from a trusted party (i.e. an internal team wrote it).</p>



<a name="161492815"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161492815" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161492815">(Mar 22 2019 at 23:16)</a>:</h4>
<p>(We should also model the attack side, which means we're really building a full threat model.)</p>



<a name="161493131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493131">(Mar 22 2019 at 23:21)</a>:</h4>
<p>I guess we can start with the easy stuff:<br>
The attacker has control over the Cargo.toml/Cargo.lock and can upload arbitrary zips to <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> under crate names that they own.</p>



<a name="161493208"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493208" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493208">(Mar 22 2019 at 23:22)</a>:</h4>
<p>The attacker can perform a <code>cargo build</code> but can <strong>not</strong> do a <code>cargo test</code> or <code>cargo run</code></p>



<a name="161493250"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493250" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493250">(Mar 22 2019 at 23:23)</a>:</h4>
<p>Control over my Cargo.toml? How?</p>



<a name="161493328"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493328" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493328">(Mar 22 2019 at 23:24)</a>:</h4>
<p>They gave you a really cool demo on hackernews and explained how you too can make your own ray-traced doom clone with this nice crate.</p>



<a name="161493354"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493354" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493354">(Mar 22 2019 at 23:24)</a>:</h4>
<p>Sure, so you copy-pasted their Cargo.toml including some weird directives they said were needed to make it work.</p>



<a name="161493367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493367">(Mar 22 2019 at 23:24)</a>:</h4>
<p>Why can the attacker build but not run?</p>



<a name="161493418"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493418" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493418">(Mar 22 2019 at 23:25)</a>:</h4>
<p>How are we going to sandbox arbitrary rust programs?</p>



<a name="161493450"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493450" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493450">(Mar 22 2019 at 23:25)</a>:</h4>
<p>Oh, I see. You're saying only build is in scope.</p>



<a name="161493454"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493454" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493454">(Mar 22 2019 at 23:25)</a>:</h4>
<p>The rust program is probably going to be doing something useful most of the time. We can't hope to sandbox it without everybody disabling it all the time.</p>



<a name="161493520"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493520" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493520">(Mar 22 2019 at 23:26)</a>:</h4>
<p>Yeah, most build scripts do a common subset of simple things.</p>



<a name="161493834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493834">(Mar 22 2019 at 23:30)</a>:</h4>
<p>I think "download this external archive so I can compile it" is a pretty common thing and easy to provide a safe(r) API for.</p>



<a name="161493850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493850">(Mar 22 2019 at 23:30)</a>:</h4>
<p>Agreed</p>



<a name="161493895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493895">(Mar 22 2019 at 23:31)</a>:</h4>
<p>Probably what we need to do is make a simple sandbox and crater it.</p>



<a name="161493898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161493898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> JP Sugarbroad <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161493898">(Mar 22 2019 at 23:31)</a>:</h4>
<p>See what breaks.</p>



<a name="161496705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161496705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161496705">(Mar 23 2019 at 00:22)</a>:</h4>
<p>Crater already prohibits network access, so there's that</p>



<a name="161497940"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161497940" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161497940">(Mar 23 2019 at 00:46)</a>:</h4>
<p>I believe it is pretty common for people to do it (see e.g. <a href="https://github.com/danburkert/prost/commit/e0317f83958892d716e99423f07525db5c7469e6#diff-3457fb1ebde739813ad9692cad895f1f" target="_blank" title="https://github.com/danburkert/prost/commit/e0317f83958892d716e99423f07525db5c7469e6#diff-3457fb1ebde739813ad9692cad895f1f">https://github.com/danburkert/prost/commit/e0317f83958892d716e99423f07525db5c7469e6#diff-3457fb1ebde739813ad9692cad895f1f</a>) and people don't understand (for so many reasons) why they shouldn't. I see that as a quite distinct issue from sandboxing the build, though.</p>



<a name="161498073"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498073" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498073">(Mar 23 2019 at 00:50)</a>:</h4>
<p>Note in particular that I ended up embedding like 20MB of executables into that crate in order to avoid the network access.</p>



<a name="161498094"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498094" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498094">(Mar 23 2019 at 00:50)</a>:</h4>
<p>...so you've embedded OpenSSL and now you need to issue a security update to your crate every time they find yet another CVE in that thing?</p>



<a name="161498129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498129">(Mar 23 2019 at 00:51)</a>:</h4>
<p>I don't think we embedded OpenSSL into PROST directly or indirectly, since I think those executables don't do network I/O.</p>



<a name="161498179"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498179" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498179">(Mar 23 2019 at 00:52)</a>:</h4>
<p>But, in the case of rust-openssl or similar, yes you would.</p>



<a name="161498298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498298">(Mar 23 2019 at 00:55)</a>:</h4>
<p>"Importantly, this eliminates very heavy and brittle non-Rust dependencies<br>
including in particular curl and OpenSSL." says the commit message</p>



<a name="161498300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498300">(Mar 23 2019 at 00:55)</a>:</h4>
<p>Right, because OpenSSL was used to download the files.</p>



<a name="161498303"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498303" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498303">(Mar 23 2019 at 00:55)</a>:</h4>
<p>oooh</p>



<a name="161498304"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498304" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498304">(Mar 23 2019 at 00:55)</a>:</h4>
<p>Since the downloading was removed, OpenSSL dep was removed.</p>



<a name="161498477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498477">(Mar 23 2019 at 00:59)</a>:</h4>
<p>Anyway, I think that to realistically have a chance at implementing a sandbox that blocks network I/O by default (and if not by default, why bother?) and/or all the time (ideally), one would need to implement a new build stage, separate from <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a>, that can be used for downloading dependencies.</p>



<a name="161498556"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498556" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498556">(Mar 23 2019 at 01:00)</a>:</h4>
<p>Similarly, people embed executables in <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a>; there would probably need to be some mechanism for whitelisting/approving the execution of such embedded executables, if they are to be blocked by default.</p>



<a name="161498702"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161498702" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161498702">(Mar 23 2019 at 01:03)</a>:</h4>
<p>I don't actually mind embedding executables because proc macros can do literally anything anyway. You already got arbitrary code in, congratulations.</p>



<a name="161499177"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161499177" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161499177">(Mar 23 2019 at 01:12)</a>:</h4>
<p>I would assume that people expect proc macros to be safer because they can read the code.</p>



<a name="161499203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161499203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161499203">(Mar 23 2019 at 01:13)</a>:</h4>
<p>I seem to remember that when the executables in PROST get updated, some doc enumerating their SHA-256(?) hashes and the source of the executable gets updated.</p>



<a name="161520356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161520356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161520356">(Mar 23 2019 at 10:55)</a>:</h4>
<p>Well, you can always embed a long hex string with a compiled binary in your source code</p>



<a name="161534391"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161534391" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161534391">(Mar 23 2019 at 17:16)</a>:</h4>
<p>Let's assume the download of source code is handled safely. The next thing that is typically done is executing gcc/clang/make on it. That seems really hard to sandbox because essentially arbitrary and highly complex binaries are being fed attacker controlled input.</p>



<a name="161553807"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553807" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553807">(Mar 24 2019 at 02:07)</a>:</h4>
<p>wow discussion</p>



<a name="161553808"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553808" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553808">(Mar 24 2019 at 02:07)</a>:</h4>
<p>/me scrolls up</p>



<a name="161553813"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553813" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553813">(Mar 24 2019 at 02:07)</a>:</h4>
<p>so uhh</p>



<a name="161553857"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553857" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553857">(Mar 24 2019 at 02:08)</a>:</h4>
<p>people who want to hit the network to download some external asset/what have you</p>



<a name="161553860"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553860" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553860">(Mar 24 2019 at 02:08)</a>:</h4>
<p>that seems like a gross hack</p>



<a name="161553862"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553862" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553862">(Mar 24 2019 at 02:08)</a>:</h4>
<p>what is the justification as opposed to packaging the thing you'd otherwise download in the crate itself?</p>



<a name="161553863"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553863" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553863">(Mar 24 2019 at 02:08)</a>:</h4>
<p>microoptimizing bandwidth?</p>



<a name="161553875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553875">(Mar 24 2019 at 02:09)</a>:</h4>
<p>it seems like there's a boring KISS solution to this problem and it's "put the thing you'd otherwise hit the network to download in the crate and you're done"</p>



<a name="161553924"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553924" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553924">(Mar 24 2019 at 02:10)</a>:</h4>
<p>shelling out to git/curl/etc from <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> seems like a cargo-culted antipattern which is probably best eliminated</p>



<a name="161553986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161553986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161553986">(Mar 24 2019 at 02:12)</a>:</h4>
<p>Probably the best way to eliminate it is to find the commonality and make it easier to do something better.</p>



<a name="161554007"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554007" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554007">(Mar 24 2019 at 02:13)</a>:</h4>
<p>1) add git submodule for the code you'd otherwise use <code>build.rs</code> to go clone<br>
2) package said code into your crate<br>
3) you're done</p>



<a name="161554059"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554059" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554059">(Mar 24 2019 at 02:14)</a>:</h4>
<p>[img:thereisnospoon] "there is no <code>build.rs</code>"</p>



<a name="161554077"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554077" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554077">(Mar 24 2019 at 02:15)</a>:</h4>
<p>or any need for new cargo features, barring a legitimate need to microoptimize bandwidth in the case crates have, umm, "optional assets"</p>



<a name="161554084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554084">(Mar 24 2019 at 02:15)</a>:</h4>
<p>The code is usually C, so a <code>build.rs</code> is needed to build it.</p>



<a name="161554128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554128">(Mar 24 2019 at 02:16)</a>:</h4>
<p>that sort of thing feels like playing with fire in terms of things like reliable or better yet reproducible builds... or binary transparency efforts (for, say, a hypothetical future community build server)</p>



<a name="161554131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554131">(Mar 24 2019 at 02:16)</a>:</h4>
<p>The size restriction of 10MB on <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> means you can't put all the code in.</p>



<a name="161554132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554132">(Mar 24 2019 at 02:16)</a>:</h4>
<p>haha yeah sure I'm not talking about the <code>cc</code> crate <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="161554147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554147">(Mar 24 2019 at 02:17)</a>:</h4>
<p>so the counterpoint to concerns about the feasibility of shoving everything into a crate are... <code>left-pad</code></p>



<a name="161554150"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554150" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554150">(Mar 24 2019 at 02:17)</a>:</h4>
<p>or reproducible builds</p>



<a name="161554156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554156">(Mar 24 2019 at 02:17)</a>:</h4>
<p>I guess my question about 10MB is: what isn't fitting into 10MB at the moment?</p>



<a name="161554222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554222">(Mar 24 2019 at 02:19)</a>:</h4>
<p>some option for optional external assets would be interesting, but I'd also be curious what the real-world use cases are</p>



<a name="161554223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554223">(Mar 24 2019 at 02:19)</a>:</h4>
<p>LLVM?</p>



<a name="161554285"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554285" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554285">(Mar 24 2019 at 02:21)</a>:</h4>
<p>I guess the next question is "who is the custodian of these assets who is volunteering to indefinitely and reliably host them for free?"</p>



<a name="161554332"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554332" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554332">(Mar 24 2019 at 02:22)</a>:</h4>
<p>but that said, aside from the 10MB limit the right answer to me is to put the relevant external artifacts directly into the published crate</p>



<a name="161554340"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554340" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554340">(Mar 24 2019 at 02:22)</a>:</h4>
<p>Usually the external artifacts are optional.</p>



<a name="161554341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554341">(Mar 24 2019 at 02:22)</a>:</h4>
<p>sure, but nobody's forcing you to use them</p>



<a name="161554344"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554344" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554344">(Mar 24 2019 at 02:23)</a>:</h4>
<p>That is, if your system already has LLVM or openssl or whatever, you can simply use that.</p>



<a name="161554354"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554354" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554354">(Mar 24 2019 at 02:23)</a>:</h4>
<p>if you download them and don't use them, that's what I was describing as "optimizing bandwidth"</p>



<a name="161554362"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554362" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554362">(Mar 24 2019 at 02:23)</a>:</h4>
<p>My thinking is that as long as people want to optimize bandwidth, which they seem to do, we need to make it easiest to do it in a safe manner.</p>



<a name="161554363"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554363" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554363">(Mar 24 2019 at 02:23)</a>:</h4>
<p>which is a concern I would rate lower than "<code>build.rs</code> is shelling out to random tools to attempt to obtain essential build artifacts that may have disappeared from wherever they were originally supposed to be hosted"</p>



<a name="161554409"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554409" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554409">(Mar 24 2019 at 02:24)</a>:</h4>
<p>yes, but that's a microoptimization...</p>



<a name="161554415"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554415" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554415">(Mar 24 2019 at 02:24)</a>:</h4>
<p>I can understand that perspective.</p>



<a name="161554428"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554428" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554428">(Mar 24 2019 at 02:25)</a>:</h4>
<p>if a Rust-friendly CDN provider were to volunteer to be the custodian of the "optional crate asset archive" I could see something like that happening</p>



<a name="161554429"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554429" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554429">(Mar 24 2019 at 02:25)</a>:</h4>
<p>But on the other hand, it's usually downloading several times the size of the original crate.</p>



<a name="161554431"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554431" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554431">(Mar 24 2019 at 02:25)</a>:</h4>
<p>I would assume the custodian would have to be <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a></p>



<a name="161554432"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554432" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554432">(Mar 24 2019 at 02:25)</a>:</h4>
<p>but anything short of that seems kinda gross to me</p>



<a name="161554476"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554476" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554476">(Mar 24 2019 at 02:26)</a>:</h4>
<p>well I assume that 10MB limit is there for a reason</p>



<a name="161554477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554477">(Mar 24 2019 at 02:26)</a>:</h4>
<p>but perhaps it could be raised?</p>



<a name="161554482"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554482" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554482">(Mar 24 2019 at 02:26)</a>:</h4>
<p>It would be nice to find out. Does anybody have contacts on the team?</p>



<a name="161554492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554492">(Mar 24 2019 at 02:27)</a>:</h4>
<p>can look in either the infra IRC or Discord channels I guess? I assume the latter is the current place</p>



<a name="161554542"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554542" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554542">(Mar 24 2019 at 02:28)</a>:</h4>
<p>but I'm really wondering now how much crazysauce abuse of <code>build.rs</code> to go grab random code from git could be trivially replaced with a git submodule whose contents are published as part of a crate</p>



<a name="161554547"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554547" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554547">(Mar 24 2019 at 02:29)</a>:</h4>
<p>say, small, infrequently updated libraries</p>



<a name="161554556"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554556" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554556">(Mar 24 2019 at 02:29)</a>:</h4>
<p>there might be a system version to link to, but if not, use the source</p>



<a name="161554600"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161554600" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161554600">(Mar 24 2019 at 02:30)</a>:</h4>
<p>I imagine there might be a surprising amount of that sort of thing</p>



<a name="161586024"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161586024" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161586024">(Mar 24 2019 at 16:28)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> Downloading things in build scripts is what makes Google Chrome's build system horrible and what makes NPM packages unportable. It's literally impossible to port some Electron applications to a new platform even if Electron itself were ported, because most NPM packages blatantly download x86 binaries to compile or do various other tasks. It clearly should be eliminated; if you require third-party stuff, tell the user to install a package from their distribution and add it to the PATH variable, just like the openssl-sys or libcurl-sys crates.</p>



<a name="161586065"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161586065" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161586065">(Mar 24 2019 at 16:30)</a>:</h4>
<p>Also for the 10MB limit, can't they create another crate and set it as a dev-dependency?</p>



<a name="161586145"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161586145" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161586145">(Mar 24 2019 at 16:31)</a>:</h4>
<p>I feel like creating as many reusable crates as possible is the way to go.</p>



<a name="161588084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161588084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161588084">(Mar 24 2019 at 17:24)</a>:</h4>
<p>oh, reusability is a good point, I have not considered it</p>



<a name="161595972"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161595972" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161595972">(Mar 24 2019 at 20:44)</a>:</h4>
<p>yeah for sure</p>



<a name="161596039"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161596039" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161596039">(Mar 24 2019 at 20:45)</a>:</h4>
<p><span class="user-mention" data-user-id="214522">@Leo Le Bouter</span> I am definitely not a fan of using ad hoc mechanisms for fetching build dependencies exactly for those reasons. Right now, aside from that, Cargo and <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> are quite good at making sure all build artifacts remain available indefinitely (and are all checksummed in the index)</p>



<a name="161599175"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/161599175" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#161599175">(Mar 24 2019 at 22:07)</a>:</h4>
<p>This also ties into auditing binaries for vulnerable libs: as soon as you get those statically linked C blobs versioned and checksummed, you can have an audit trail and check your binaries for vulnerable dependencies even if those came from C</p>



<a name="165981496"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/165981496" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#165981496">(May 18 2019 at 16:37)</a>:</h4>
<p>made a crate for this: <a href="https://github.com/rust-secure-code/cargo-sandbox" target="_blank" title="https://github.com/rust-secure-code/cargo-sandbox">https://github.com/rust-secure-code/cargo-sandbox</a></p>



<a name="165981500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/165981500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#165981500">(May 18 2019 at 16:37)</a>:</h4>
<p>like cargo-repro it's empty/vaporware</p>



<a name="165981504"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/165981504" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#165981504">(May 18 2019 at 16:37)</a>:</h4>
<p>here's an issue to discuss: <a href="https://github.com/rust-secure-code/cargo-sandbox/issues/3" target="_blank" title="https://github.com/rust-secure-code/cargo-sandbox/issues/3">https://github.com/rust-secure-code/cargo-sandbox/issues/3</a></p>



<a name="166078089"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166078089" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166078089">(May 20 2019 at 11:50)</a>:</h4>
<p>Just to be sure I understand it correctly again! Is it actually about building in a sandboxed environment? Or about running the binary in a sandboxed environment?</p>
<p>If it's the first one: do we mean that we should be able to download crates in the sandboxed environment? Or that everything should already be there and isolated?</p>



<a name="166087488"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166087488" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166087488">(May 20 2019 at 14:03)</a>:</h4>
<p>/me thinking the former: crates get downloaded in advance, and then subsequent build-time code execution occurs in a sandbox</p>



<a name="166087587"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166087587" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166087587">(May 20 2019 at 14:04)</a>:</h4>
<p>gaol specifically has a set of capabilities the build process is allowed to do. they could be tweakable, but denying network access by default, well... that's what crater does already</p>



<a name="166138749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166138749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166138749">(May 21 2019 at 03:19)</a>:</h4>
<p>Ahh, I think I understand now. It's mainly because there can be a <code>build.rs</code> script that can potentially do anything it would like, right? I hope to check the mentioned issue/project and contribute some ideas somewhere this week!</p>



<a name="166140409"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166140409" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166140409">(May 21 2019 at 04:03)</a>:</h4>
<p><code>build.rs</code>, proc macros, I think there's stuff beyond that</p>



<a name="166495181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/166495181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#166495181">(May 24 2019 at 22:22)</a>:</h4>
<p>More reasons why builds having access to the network is a bad idea: <a href="https://twitter.com/lukejacksonn/status/1131506699356037121" target="_blank" title="https://twitter.com/lukejacksonn/status/1131506699356037121">https://twitter.com/lukejacksonn/status/1131506699356037121</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/lukejacksonn/status/1131506699356037121" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/905060375128924160/xxTDen1r_normal.jpg"></a><p>So pm2 (a node process manager package on npm) just caused thousands of CI builds to fail because of an "optionalDependency" on a package called gkt which is requested as a tarball from a server that was returning 503. That package consists of one file which contains this: <a href="https://t.co/9lY7yJZFm5" target="_blank" title="https://t.co/9lY7yJZFm5">https://twitter.com/lukejacksonn/status/1131506699356037121/photo/1</a></p><span>- Luke Jackson (@lukejacksonn)</span><div class="twitter-image"><a href="https://t.co/9lY7yJZFm5" target="_blank" title="https://t.co/9lY7yJZFm5"><img src="https://pbs.twimg.com/media/D7PrCdLXYAAi3tP.jpg:small"></a></div></div></div>



<a name="167530269"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/167530269" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> snf <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#167530269">(Jun 06 2019 at 22:54)</a>:</h4>
<p>"<code>domain.com/not-a-targeted-backdoor.js</code>". I've seen popular packages in npm using installation telemetry too</p>



<a name="167535142"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/167535142" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#167535142">(Jun 07 2019 at 00:29)</a>:</h4>
<p>hey look, another case-in-point <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span> <a href="https://github.com/RustSec/advisory-db/pull/104/files" target="_blank" title="https://github.com/RustSec/advisory-db/pull/104/files">https://github.com/RustSec/advisory-db/pull/104/files</a></p>



<a name="174850293"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174850293" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174850293">(Sep 04 2019 at 04:24)</a>:</h4>
<p>some fun discussion on this thread <a href="https://internals.rust-lang.org/t/pre-rfc-procmacros-implemented-in-wasm/10860/75?u=bascule" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-procmacros-implemented-in-wasm/10860/75?u=bascule">https://internals.rust-lang.org/t/pre-rfc-procmacros-implemented-in-wasm/10860/75?u=bascule</a></p>



<a name="174850850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174850850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174850850">(Sep 04 2019 at 04:40)</a>:</h4>
<p>(deleted)</p>



<a name="174850867"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174850867" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174850867">(Sep 04 2019 at 04:41)</a>:</h4>
<p>Whoops wrong thread</p>



<a name="174898421"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174898421" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174898421">(Sep 04 2019 at 16:28)</a>:</h4>
<p>The desire to do build-time sandboxing also came up a few times in the enterprise rust meetup at rustconf. one of the other people there even broke down a list of things <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> files tend to do:</p>
<p>1. search for or otherwise wrangle external libraries<br>
2. check rustc version and enable/disable features<br>
3. generate some code to be included in the build<br>
4. (there were 4 of these but i don't remember the fourth one, unfortunately).<br>
most of these are amenable to some form of sandboxing, although number 1 is probably the hardest. number 2 could hypothetically be avoided in more cases if there were a way to query the compiler version info via a builtin cfg(...) thing, which I think there's an RFC for, just nobody has implemented it.</p>



<a name="174900392"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174900392" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174900392">(Sep 04 2019 at 16:54)</a>:</h4>
<p>there's been some interesting discussion of using WASM/WASI for this on rust-internals</p>



<a name="174900404"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174900404" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174900404">(Sep 04 2019 at 16:55)</a>:</h4>
<p>which I hadn't seriously considered before but it seems there's a great deal of interest</p>



<a name="174915491"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174915491" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174915491">(Sep 04 2019 at 19:38)</a>:</h4>
<p>a new cfg_if_rusct without <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> showed up on Reddit a couple of days ago</p>



<a name="174916598"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174916598" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174916598">(Sep 04 2019 at 19:52)</a>:</h4>
<p>without a <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a>? how?</p>



<a name="174916761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174916761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174916761">(Sep 04 2019 at 19:54)</a>:</h4>
<p>There's been a crate that does this via a proc-macro attribute for some time: <a href="https://crates.io/crates/rustversion" target="_blank" title="https://crates.io/crates/rustversion">https://crates.io/crates/rustversion</a></p>



<a name="174916846"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174916846" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174916846">(Sep 04 2019 at 19:55)</a>:</h4>
<p>ah right, that makes sense. not really that meaningfully different from <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> though, although I guess proc macros will probably be easier to sandbox</p>



<a name="174919299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174919299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174919299">(Sep 04 2019 at 20:22)</a>:</h4>
<p>(OTOH proc macros that depend on the target environment are probably not very well behaved from the standpoint of related goals like being able to download prebuilt artifacts from <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a>)</p>



<a name="174920522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174920522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174920522">(Sep 04 2019 at 20:36)</a>:</h4>
<p><a href="https://crates.io/crates/if_rust_version" target="_blank" title="https://crates.io/crates/if_rust_version">https://crates.io/crates/if_rust_version</a> this one, doesn't depend on syn either so probably not a proc macro?</p>



<a name="174920602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/174920602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#174920602">(Sep 04 2019 at 20:37)</a>:</h4>
<p>oh it comes with <a href="http://build.rs" target="_blank" title="http://build.rs">build.rs</a> too, just pushes it one level down</p>



<a name="176021805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/176021805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#176021805">(Sep 18 2019 at 16:36)</a>:</h4>
<p>this looks interesting: <a href="https://github.com/rust-lang/rustwide" target="_blank" title="https://github.com/rust-lang/rustwide">https://github.com/rust-lang/rustwide</a></p>



<a name="176021821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/176021821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#176021821">(Sep 18 2019 at 16:37)</a>:</h4>
<p>wrapper for a Docker sandbox used by crater and <a href="http://docs.rs" target="_blank" title="http://docs.rs">docs.rs</a></p>



<a name="176022569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/176022569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#176022569">(Sep 18 2019 at 16:46)</a>:</h4>
<p>also: <a href="https://hub.docker.com/r/rustops/crates-build-env" target="_blank" title="https://hub.docker.com/r/rustops/crates-build-env">https://hub.docker.com/r/rustops/crates-build-env</a></p>



<a name="178125586"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178125586" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178125586">(Oct 14 2019 at 18:17)</a>:</h4>
<p><a href="https://github.com/dtolnay/watt" target="_blank" title="https://github.com/dtolnay/watt">https://github.com/dtolnay/watt</a> - this sure is a step in the right direction, with proc macros being walled off in a small, 100% safe code WASM environment</p>



<a name="178125650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178125650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178125650">(Oct 14 2019 at 18:18)</a>:</h4>
<p>Also helps with reproducible builds</p>



<a name="178126194"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178126194" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178126194">(Oct 14 2019 at 18:25)</a>:</h4>
<p>Yeah saw the relevant rust-internals thread. WASM certainly seems like an interesting way to do sandboxing</p>



<a name="178126268"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178126268" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178126268">(Oct 14 2019 at 18:26)</a>:</h4>
<p>I still want to play with <code>rustwide</code></p>



<a name="178126343"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178126343" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178126343">(Oct 14 2019 at 18:27)</a>:</h4>
<p>We had a long talk about sandboxing the other day at work. I'm really excited for wasm's potential there</p>



<a name="178126761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/178126761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#178126761">(Oct 14 2019 at 18:33)</a>:</h4>
<p><code>build.rs</code> + WASI might be interesting</p>



<a name="179752332"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/179752332" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#179752332">(Nov 03 2019 at 15:52)</a>:</h4>
<p>been playing with Rustwide. It seems pretty cool</p>



<a name="179755424"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/179755424" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#179755424">(Nov 03 2019 at 17:24)</a>:</h4>
<p>Nice! I'm thinking of making Clippy security lints into their own category and then running it in rustwide</p>



<a name="181928008"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928008" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928008">(Nov 26 2019 at 14:51)</a>:</h4>
<p><a href="https://github.com/rust-secure-code/cargo-sandbox/issues/8" target="_blank" title="https://github.com/rust-secure-code/cargo-sandbox/issues/8">https://github.com/rust-secure-code/cargo-sandbox/issues/8</a></p>



<a name="181928453"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928453" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928453">(Nov 26 2019 at 14:55)</a>:</h4>
<p>Docker provides a stable CLI for both Linux and Windows</p>



<a name="181928639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928639">(Nov 26 2019 at 14:56)</a>:</h4>
<p>yeah, but there are also at least two promising crates which wrap up docker-based builds (<code>cargo-wharf</code> and <code>rustwide</code>)</p>



<a name="181928660"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928660" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928660">(Nov 26 2019 at 14:57)</a>:</h4>
<p>the latter seems really cool for reproducible builds of released crates</p>



<a name="181928686"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928686" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928686">(Nov 26 2019 at 14:57)</a>:</h4>
<p>not so sure about the sandboxing use case</p>



<a name="181928802"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928802" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928802">(Nov 26 2019 at 14:58)</a>:</h4>
<p>I think that it's been a while and something should be written even if it's as simple as a wrapper over the Docker/Podman CLI</p>



<a name="181928847"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181928847" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181928847">(Nov 26 2019 at 14:58)</a>:</h4>
<p>Perfect solutions certainly do not exist w.r.t sandboxing</p>



<a name="181929106"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929106" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929106">(Nov 26 2019 at 15:00)</a>:</h4>
<p>The issues with the command I posted are:</p>
<p>- Does not work with "path" dependencies<br>
- Does not make sources readonly<br>
- more?</p>



<a name="181929271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929271">(Nov 26 2019 at 15:01)</a>:</h4>
<p>Err, both <code>cargo-wharf</code> and <code>rustwide</code> are fairly new</p>



<a name="181929341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929341">(Nov 26 2019 at 15:02)</a>:</h4>
<p>well, <code>rustwide</code> is old, but that's in terms of it being used to drive crater</p>



<a name="181929354"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929354" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929354">(Nov 26 2019 at 15:02)</a>:</h4>
<p>the extraction into a crate is relatively recent</p>



<a name="181929373"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929373" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929373">(Nov 26 2019 at 15:02)</a>:</h4>
<p>I guess the question is: what would yet another docker wrapper do differently?</p>



<a name="181929428"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929428" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929428">(Nov 26 2019 at 15:03)</a>:</h4>
<p>Aim at the sandboxing use case specifically</p>



<a name="181929481"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929481" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929481">(Nov 26 2019 at 15:03)</a>:</h4>
<p>...and what does that entail in your opinion?</p>



<a name="181929610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929610">(Nov 26 2019 at 15:04)</a>:</h4>
<p>the tricky things to me are the little bits like caching intermediate build artifacts</p>



<a name="181929621"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929621" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929621">(Nov 26 2019 at 15:04)</a>:</h4>
<p>which it looks like <code>cargo-wharf</code> does well</p>



<a name="181929734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181929734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181929734">(Nov 26 2019 at 15:05)</a>:</h4>
<p>cargo-wharf looks overcomplicated; my command line uses the current directory's target and caches that, and it works well. What else do you want exactly?</p>



<a name="181930013"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930013" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930013">(Nov 26 2019 at 15:08)</a>:</h4>
<p>ok, would you like to submit a PR?</p>



<a name="181930058"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930058" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930058">(Nov 26 2019 at 15:08)</a>:</h4>
<p>I will do so ASAP! I propose to integrate something simple first then change when better solutions or motivated people come up.</p>



<a name="181930090"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930090" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930090">(Nov 26 2019 at 15:09)</a>:</h4>
<p>cool</p>



<a name="181930094"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930094" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930094">(Nov 26 2019 at 15:09)</a>:</h4>
<p>cargo-wharf looks better suited for CI use cases</p>



<a name="181930639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930639">(Nov 26 2019 at 15:14)</a>:</h4>
<p>(deleted)</p>



<a name="181930664"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181930664" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181930664">(Nov 26 2019 at 15:15)</a>:</h4>
<p>(deleted)</p>



<a name="181931120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181931120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181931120">(Nov 26 2019 at 15:19)</a>:</h4>
<p>OK, I get it better now. It builds each and every crate in its own sandbox to avoid them affecting each other's build artifacts.</p>



<a name="181931212"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181931212" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181931212">(Nov 26 2019 at 15:20)</a>:</h4>
<p>Either way, a single artifact can get control over the final binary's execution</p>



<a name="181931912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181931912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181931912">(Nov 26 2019 at 15:26)</a>:</h4>
<p>I have to think about that. A TOML parser/rewriter for passing in path dependencies, few ro/rw bind mounts, some CLI args to control network access with it off by default, a way to provide a custom Dockerfile, or find a way to make the container be based on a CoW version of the host's file system?</p>



<a name="181931962"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181931962" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181931962">(Nov 26 2019 at 15:27)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> ^ To answer on what I think it entails</p>



<a name="181932430"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/181932430" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#181932430">(Nov 26 2019 at 15:31)</a>:</h4>
<p>yeah, sounds like the right general direction</p>



<a name="182710165"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/182710165" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#182710165">(Dec 05 2019 at 22:08)</a>:</h4>
<p><a href="https://benjamincongdon.me/blog/2019/12/04/Fast-Rust-Docker-Builds-with-cargo-vendor/" target="_blank" title="https://benjamincongdon.me/blog/2019/12/04/Fast-Rust-Docker-Builds-with-cargo-vendor/">https://benjamincongdon.me/blog/2019/12/04/Fast-Rust-Docker-Builds-with-cargo-vendor/</a></p>



<a name="186592318"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/186592318" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Leo Le Bouter <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#186592318">(Jan 25 2020 at 23:01)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> Ohh very interesting! Sorry I've been busy, I realize I've been wanting to get things moving but I don't have so much time myself so.. heh</p>



<a name="240056079"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/240056079" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#240056079">(May 24 2021 at 14:08)</a>:</h4>
<p>A new project implementing build-time sandboxing has popped up: <a href="https://github.com/kutometa/carnet">https://github.com/kutometa/carnet</a></p>



<a name="240129898"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/build-time%20sandboxing/near/240129898" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/build-time.20sandboxing.html#240129898">(May 25 2021 at 00:25)</a>:</h4>
<p>neat</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>